| 1921 |
2020-09-29 09:35
|
S02IVS40GP4N.doc afd9018d26007e0d9686a335801f3370
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS |
2
http://edu.jmsvclass.com/wp-includes/sZmjSq/
http://38.18.235.242/IcKaqWXLrGj/szawWpkr5bo9VpCttEI/qa3aWeZpdQZVO/QnBtCtY/oiWENMkDor61zf1lK/Mfvy1v5UPQP/
|
2
160.153.210.213
38.18.235.242
|
4
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
5.2 |
|
22 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1922 |
2020-09-29 09:43
|
hHAiHl284xjimxTyEb7.exe f4e24b367f402e450e1349a9e12e5f28
Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://167.71.227.113:8080/N7oz3wlXYGqub32robD/2ac0VOBpE/EaIL6gH5v/ogohG4oKV/
|
2
167.71.227.113
49.243.9.118
|
|
|
6.4 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1923 |
2020-09-29 10:12
|
Mes_20200929_0697.doc b5a904026f1a39ef2308bf94afea96ac
Vulnerability Malware Malicious Traffic unpack itself malicious URLs Windows DNS |
2
http://128.92.203.42/3PCga7kiz/0Z2A4bpUCXpHnGVd/r5kxqLjJnC4hQ05W/ruZParGqHycRyKZtfx3/
http://babyshop.webdungsan.com/wp-admin/n/
|
2
103.124.92.99
128.92.203.42
|
4
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
4.4 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1924 |
2020-09-29 10:13
|
m2uoji6w.pdf.exe 93bb6e22daed74acd13a9bdc6bcf2f4f
VirusTotal Malware PDB unpack itself crashed |
|
|
|
|
2.2 |
M |
18 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1925 |
2020-09-29 10:16
|
cVyk4fksxqUz0Kmh.exe a039f79dfab191ad8c0aadc194baca53
Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://128.92.203.42/b3cT/XTE3ge/KGu5mB/
|
1
|
|
|
5.4 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1926 |
2020-09-29 10:18
|
whe.exe 5c66720dc80a18f0fc5b525d48efd118
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Checks debugger unpack itself malicious URLs Ransomware Windows Browser Tor Email ComputerName Software crashed |
|
|
|
|
7.4 |
M |
49 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1927 |
2020-09-29 10:18
|
fr.exe cbb05276c2da12af44039e256c755219
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Checks debugger unpack itself malicious URLs Ransomware Windows Browser Tor Email ComputerName Software crashed |
|
|
|
|
7.4 |
M |
49 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1928 |
2020-09-29 10:23
|
견적서_L-Ar_191014-pdf.exe 49cdf06ad4023203ebcf2a279f078aae
VirusTotal Malware Buffer PE suspicious privilege Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
6.8 |
|
31 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1929 |
2020-09-29 10:28
|
moon.exe 89cafef93dbf558c2894364ba4ead754
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Ransomware Windows Tor ComputerName crashed |
|
|
|
|
11.4 |
|
44 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1930 |
2020-09-29 10:32
|
Rep_2020_09_29.doc ed6428b8d3e8082dbd602561ad399213
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS |
2
http://128.92.203.42/u6Fy3sEK0ifP6z/
http://babyshop.webdungsan.com/wp-admin/n/
|
2
103.124.92.99
128.92.203.42
|
4
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
5.2 |
|
20 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1931 |
2020-09-29 10:34
|
raw.exe 2d46889b6d794ac1fcf58bf340c4666a
VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs WriteConsoleW Tofsee ComputerName DNS |
1
https://paste.nrecom.net/view/raw/a4eca577
|
1
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
|
29 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1932 |
2020-09-29 10:35
|
pIJpOlcz.exe fa62345d40283d2935893a10f9456497
VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName DNS Cryptographic key |
1
http://128.92.203.42/nP6noF7Ky6vY4U9Q2MA/cjRryf7FYz1/sMWYqsChHTUqysW/SIQT3XiRK15Hfj9ka/
|
1
|
|
|
6.0 |
|
15 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1933 |
2020-09-29 10:38
|
Tax Challan.exe f66f4ff235e4119b8231ae6bd22a7aac
VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS keylogger |
|
1
|
|
|
12.6 |
|
50 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1934 |
2020-09-29 10:39
|
견적서_L-Ar_191014-pdf.exe 49cdf06ad4023203ebcf2a279f078aae
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed |
|
|
|
|
13.6 |
|
31 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1935 |
2020-09-29 11:21
|
zxcv.EXE 92821d6dd83105f5f2d08c43f28fa309
Browser Info Stealer Emotet Malware download FTP Client Info Stealer Vidar Azorult VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization VM Disk Size Check human activity check installed browsers check Tofsee Ransomware Interception Zeus OskiStealer Stealer Windows Browser Email ComputerName DNS Cryptographic key Software crashed Downloader |
24
http://ferreira.ac.ug/index.php
http://nadia.ac.ug/
http://nadia.ac.ug/freebl3.dll
http://cnmotoparts.online/gate/libs.zip
http://cnmotoparts.online/gate/libs.zip
http://nadia.ac.ug/mozglue.dll
http://nadia.ac.ug/msvcp140.dll
http://cnmotoparts.online/gate/libs.zip
http://nadia.ac.ug/nss3.dll
http://ferreira.ac.ug/ac.exe
http://ferreiranadii.ac.ug/ds1.exe
http://ferreira.ac.ug/rc.exe
http://ferreira.ac.ug/ds1.exe
http://cnmotoparts.online/gate/libs.zip
http://ferreiranadii.ac.ug/ac.exe
http://ferreiranadii.ac.ug/rc.exe
http://ferreira.ac.ug/index.php
http://nadia.ac.ug/sqlite3.dll
http://cnmotoparts.online/file_handler4/file.php?hash=6cdfdf419af0bd0a62dd40155eca58436ab12ba0&js=6695ee24e4a8273aee2ea33a2bde08662448549b&callback=http://cnmotoparts.online/gate
http://ferreira.ac.ug/ds2.exe
http://nadia.ac.ug/vcruntime140.dll
http://cnmotoparts.online/gate/sqlite3.dll
http://nadia.ac.ug/softokn3.dll
http://nadia.ac.ug/main.php
http://cnmotoparts.online/gate/log.php
http://ferreiranadii.ac.ug/ds2.exe
http://cnmotoparts.online/gate/libs.zip
https://telete.in/brikitiki
https://cdn.discordapp.com/attachments/752128569169281083/760175342396112916/Acdk123
|
6
161.117.254.2
162.159.134.233
162.159.138.232
194.5.98.95
195.201.225.248
217.8.117.77
|
10
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE AZORult v3.3 Server Response M2
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
|
|
28.6 |
M |
26 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|